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^AiM-SBeMSg^iibrMfi^ns. 7'dwa(!)s 

10 B5ta7'P^A3«a5fe«e#©£, 

«x»rti*»*^-*\ «wa»RiiEfTit?ii»«*. 
•WA^-rs^s-e&s. H>ri27-p^7A^f?gi?ffiFoj 

A*#S«t. 

7-p ^ A ftgRXfr *Jh»S?*S i . 

?*p A^^ffi^a©W3eiS**»-r***i^«: 
^py7A^Htf»ibliR^S». ^n^ 7 Ai 
fQWT A * JWRSSIfr SCi 5ri¥ bJ L . 
20 -7'p A^«5fe«^m©*iJ^*S^*^t?*S^tc 

«, yaif^M.mw.m^fmitm^mt, I'mr^^m 
«9iff ^ p f 5 a « losiff r ici *g;±-r £ 

C<fc£#SSt<LU 

at. a jm»»^R±aiR^s««wf as»s5tT 

■TOtlHRfcfieoT. ^P^^A)gig?|ltfSiJ^©*^'py 

■5. ©^-rnd^stRrsci^^i-r^. ^n^7 

30 [ 5 ] ^n?7 A%m$fe«s*e©«5£^^ 
5-e*£t§^. ^py^Ac^^f^i^or-r-E.*^^ 

ck O'if 3}?^ 407-0^7 AUtf SIS. 
[«*^ 6 ] flUfflflMRt* I P T Kuxm. Vu V 

^Afgm^j^sts, 1 pt F\szzm^xmj£*n 

5Ci^MitS, 2. 3. 4. 5IBiS© 

7-p^7A^filg„ 

CIS*5S7] WJflflMaBURL***. ^B^7AH 

40 mftWM^m io5«, url *ffli>r«s*ff ^ci 

*4*«i-rS. IMC9I1. 2, 3. 4, 5te«©7-py 

^JS'&tT^ci^mi-rs. m«3gi. 2. 3. 4. 

5 lEiS© 7*P y7A^!fSI. 

[^w©»itti%^] 

[000 1 ] 

so i^a^A^^vn-Kl, T-a^^A^PRH 
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errs. 

[0002] 

©/<:#>©* v h 7- *«ttJgSS<Dg3fc*5i«g -p-C^S. 

[0003] h 7-*£at;-C7'a^-7A©Efia 1 

•5. &£©^<©#J.£#s£gft.5„ 

[0004] »C3>b - a -f ^>^©^ft?B, 
l,^fc^P ^7 A©Eft««3g&CfT&*>tt-CI,>S. 

[OOOSl^OM^tOK, h©7 
i^tf-^i. :/^-tF£t£i2-fcPC©Pi8©*? h7- 

[0006] si#>ft/c* ? h 7 - ^©tc-C«. fOTSte 
[0007] 2rr. H#>ttfc* 5» h 7- 

tt. JWT©C<t**-y h7-^Wffl*(Cj:SUX^©^ 
ffl<0±"Cffft9it»91«ft*fiFO. 1. Si^5fe*5^0l/ 
Jtti^-C&SCi (tSM^i^Dl) . 2. =»>^>7*5e 

14). 3. 3>^>7*i-en**ijffl-rsis^-c/g:^^ 

[00081 -3SD Mfrtltc* -y h V-V £«. ±fE© 

i. 2. 3. *J3S£fc«H3n*aw-ca:tttr>. -e©fc 

A*. -eo£«Sli=>-r(cfiJffl^J^7>a- fu ntf 

[00091 -S, Hlfrtlfc*^ h!7-*£l;W*C»K 
ffiii-rs=»>^>^?:^7>ci- FT SBSfc. a>-f-> 
7©Bg#<b^3>-^>74^7>P - F-T-5K©*iJffl# 

©tssEtt mcmwfe E<p-jm*m&z tec* -?r. ±ie 

©1. 2. 3. ©j6*«HT5*» h7-^4>#ft-T 
•5. C©14Jt£}fo*-y F7-*£ rgjD6*lfc** h 

[ooio] £«tteoc»-ttftccif innate • ££14 

RKctt. fiffi-C^SEftTc^f^L/c^feT-ay^A 
[0 0 1 1 ] Jm*Tg^|§Cc#-r£:7-n^AEfsit 

«. us u^ts^^- *©«§&£#££ • JEKitctf 
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7 - * s n s c t ifim. s u <, 

[0012] HIS. ^T©f£1«£3§fitt£ffl5£U/c* v 
h7-*«. N6^©#SK:J:or±fa©i . 2. 3. 

[0013] mtf^T©mB£fflt,>fc§«©1J---trx 
fc, mt£©*? h?-***WIt,. ilfitcj:**? h7 
- ? ©fiJfflCCf* o K&*iEWK:fTtt 5 s£&S1£j&> 6 . -£© 

io •y--vxizfflct>ntt* y h7-*-csui£*vci,>s„ 
3>^> > >«:Bg#{t^©j!! : s^m^c£(c 

[0 0 14] 

* vv~?wkK.mm-tz>t£iiK -g(5©tasr«Bit6 

20 *?h7-*£, ^HtSSi©*lfDtt«. 4-f^3 6(Cil5 
[0015] C©<fc 5 &tKffi{C*St,»T WSfctC&^fcJ: 5 

[0016] — IXDjg&SIW:. T/Cli^A^fgf^fr 

30 [0 0 1 7 ] C©»?&^££-?TI,>5tt3limcT--*'r- 
[0018] ^miSi L-T© J a v amigtJ. *7V> 

sHfttt. ^ttt©^3. eE#©P3^a^©«ss. 

[0 0 1 9 ] J a v aT-tf^fttt, Jav 

a Vm-?isZs£ 1^7 7">; jrftfll K * 0 if =7 A 

* t-?>o s icttffu^ct^'a 2**m&rc% -Sit*. 
40 ^«^Stc*j^-C7-uy^AEfi?:ll^'S©K:WM^ 

[0020] Javatt, 

fiKttJavatt, «T©«fcO&«®E««*^ori» 

[0 02 1 ] (LauraLemay, charles 
L. Perkins. "TeachYourselfJ 
avain21days" Prent iceHal 1. 
50 1 9 9 6) 1. J a v am^e-©fc©*i^tt©lSl># 
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fgf±«£J$oT:ter> . J a v aSfSK £-?TSl**&^ 
«3-F*fl^TSC£l*B»Cfc-9Tt»S. 09*«\ 

5Cilir*&l>. 2. Javarav-»B, mfB 
jS, (J a va>7^7 7-fW #iEtA>8M!JieraoTe 

vaEBv-»ii)g|at5. 3. lESv^XD^ny? 

Ctttftl». 4. J a vaAP I*iffi«-re^tggf». 

[002 2]£(±©<);5(CJavatt 1 H»*B*»6:/ 
ay-7A^f^^r©#u^;i-(cfc(,^r» &H&tfciEtg 20 
t^fl/tl,^^. C©<fc5£rfgt&£f#fci*/cfc«>. J 
a v alRSvi/XJ^OifptDfcfttC^ftfffljit'J 

[0 02 3] m«2 ^JUT {g.«vS/>» 
mffig.'POJ ava©^3-F(c*fL,r7a-W#f 

(A. Aho. R. Sethi. J. Ul lman. " 
compilerPrinciples, Techin 
iques, andTools", Addison — W 
s e 1 e y, 1 9 8 6) £fr*>&Wft«ft'5-r. Ctlit 
Java(SSv-»©HS3-Ht-fXi^t'Jt 30 
<D*9rt*S< (SCSUCfcSi. 2. <DmE&mZffiZ.tj: 

^m^<DU&m J <^'jm.titmL-c, 1. 5~3. o<s 
. 

[0 0 2 4 ] 36KCft6©tfclB!!SB, VUif^A<D 
mT<Plc$>Utl,l&&£.-?Zt><b-C$>2>tcib> Java 
<&«v^>©^g©*^&7^K U *iI(C7'P^-7A 

coo25] mmm^m-vita^hicM-r^mim 

[0 0 2 6] ffl*.(2JKtt«8CCJ ava^JstSS^ST 

Sntffl*ii*I^WCcfp)iSL/3lfcft«'C*iE m b e d d e 
d J a v aT-^f?ftMW T'ni/^AOidf 
©/c&K:«&{£. RAM 5 1 2K^-f K ROM 5 1 2 

(DeepakMulchandani, " Javaf 
orEmbeddedSystems", IEEEIN 
TERNETCOMPUT I NG, Maytun e 1 9 50 
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98). Cfttt>Wi>F©W**«»fc»UT*» 

S^*'JS««c^i u-c-fia©g?^sgcct^-c«A* 

[0027] 4*K. ft*SB*>B«fttt&£tC». tSM 
fm&g$t©8/l 6 b i tW3>*, &+KBSK© 

Sfc*fbr«Emb e dd ed J availfflnct 

[0 0 2 8 ] JSWBCTfiSftSjiD, JavaK^n 

[0029] *mtt*> 7"P #7 Aieft©fc«>©* ? F 

>p- F Lfc^'Pi^ A©3c£1£ • ®m& ■ tZ£\±<DU 
[0030] 

j£&*ao-c\ ^o^Ai, 7o^7A©^t7c(Di 

-?-©igft{c«t«3> 7"ny 7 Aii?c4ftt©t**», * 
[0 0 3 1 ] ^tWWL/c^P^AfcStUTB. 81 

[0 0 3 2 ] ioT^B^AS, ffiflM^US^fc 

[0 03 3] SSiltiWIHtt&^T'P^AKjfeUT 

[0034] 1 ) 3S±ffeft»«iE-c*tti»y a ^7 Afct— 

[003 5 ] C©:£i$*flKSi§^. ^O^^A^f^g 
BM&T'ny^AS- SJttfP;* 
*«*.*s&»*tt»r». ■t'o ^^A©JBS?H?f©fc»K:£. 
ett*B»*/hS <»*.«:**. S^iffiBrSJifcT'P 

[0 03 6 ] 2) a— tf(CJ:-pr^?>n/c. 7a^7 

A©^«?iiff=&f!F^j-r-s. fcsotsttitrs. ©o-rn 

[003 7] C©:fr&£BX£t§£\ 7*Pi/^A^f«§ 
*>* a- if ©«&«£<£■££ . 

[003 8] #*S?1tt£8»^©#m±. flWrc#4«r 
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W&#3KTCCte<<>T T?$>S £#;?. 6^5. 
[003 9]"5J1 a— tffci-^rNe^OSStcJ: 

[0040] P§#>ftfc*? YV-9tPh. zfU#=>K 
[0 0 4 1 ] 2 ) (D^ffiti. *©a— !f©*IWf*. :/p 

[0042] 7*p^-7A«^.-if©eBeffitc«fc-p-c7' 

P ^7 A£#?iK3ltT3-tf t^^afctfrbttftl,* 
e £**»«£& 9. ^a^AatfKa^oft^cc&s 
tjKIBMv! < W*fc* £ . ^P ?7 A*Wj£&Cl&fl? 

20 

[0 04 3] 3) YLtcy'uifvJxiAf&mts: 
fc©-C& S pJ#E14#& £ C £ £ a— tf «:» 6 tflfcffc. 
2>£*t5. 

[0 04 4] 2) t|^Dr*-5*s^P^A!&I6ff3-e 

[ 0 0 4 5 ] a— if tt*n£fl3(,\ J: »JIEtt&«K-C. 

[0 04 6] 4) ^P^A^ff^gtC. ^O^A© 30 
«S?»T©fc»©. t£*£ «SIJ©^ 2 ©#©£«!: L . 
££&#ffltc # ft (,» ^aWA »*©» 2 ©^&&c £ 

ositT-r setters. 

[0 04 7] S^ttWSnS^P^AiS^ 
^p &<DMmzft ©fc»©#S*»«-r*55rjSr* 
•5. 

[0048] C ©*§■£-. ^tttfsSSESft&l^P^ 

c£#tswu>. 

[0 04 9] C*UC«fc«J. ^fe^CT-p^^A^lSSJClft 
ift$t5Ct*i-C^5. 5) 2) ±4) ©*5$£Ih]B§ 

cc£s&©6) 3) la) ©#se*ra«#«c£afc©#» 
r^evr **>©-?$>*„ 

[005 0] 

tew. j*mmm±mmmaimut><D-c$>z>i)K 50 
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3£<S0L?cfc©-C&-So 

[005 1 ] CCTBfiK, ^-f.-Xr/WfcgfliOfc^ 

[005 2] JWT. *^©HJS©^fC-PC^-c. H9 

[005 3] *-nai B. fS*«l«:fB«E©^P^A 
»t«S©^*^ U & ©-C £> 
[0 05 4] 01©^g©Ma©-7P-^i--h?r0 5 

[0055] cnp»icot»r»cgiBjtrc>< 0 
[0056] ^spfesi8S 1 0 1 a»6sra-rs. ^p 

A 1 0 2 £f&Mt#$R 1 0 3 ». mtf'f 
[0 05 7 ] ^py^Ai*. ^g*5«^.S»f^fCJ:?) 

t,>3&6«. *©£Sg«J a v a ©Sltf^^-C* S J a 
v a *5^7t ^;U*5HtfoJt6 _ e*2>/t& > Java* 
7^77 ^;u*^a5ej^5S*jiDry'5>p- KTS„ 
[0 05 8] ISg"Jt»#K£«> ^^Ai«>o-F 

£-r-5. **te09rti. ^^©^{c-rs/ctofc^ en 
^ypi/7A©«mr-cRfflTs 0 *>s^«!©it«-c* 

[ 0 0 5 9 ] !&SiJttfB£ Otm»SC £#bJ#E&<£>© 

VMhtlZ 1 PTFUX-^. Web. FTP, Goph 
er. News. T E LN E T&£©ft$g£Jg5rr&-fi 
f&Sl-C— MKT F UXT?&£URL (Uniform 
ResourceLocator) ifi$>%>* 
[006 0 ] etscapeC o mm u n i c a 

t i onsCo rpo ra t i on(C<t5SSL (Se 
cureSocket sLayer) y'v. V zvls-cit. 

AAjri'ccK-r-S^^^-i'H >*tf *B£«:iSaE 

S L (Cffiffl ^ti-S 4>©&cft*l<* n-SBf^bS tiicm&Z; 

«±12tc^ tffc ©JW?f © fc©-c*-or€>J:Ci„ 
[006 1 ] S5CC*il,»r^:IZI©Ma-C*-5P 1057 

mmmi 03 zmmu, mmmmi. tisnfc 

[oo6 2] cft«sitc*itf-5, zfaif^M-mm^m 
m^&i o 5(c<fcoTtTfcn£Ma-ci&5o 

[006 3 ] c©^aap i o 5 (dmmiz. He>*>©^-c 
itsiJ1f$S^»)0?br. ^©«Htt?:*iM-r , #^^S*5* 
-5. mtf«T©«fc5fc7re < cn**Rf *C£*«t? 



9 

[ o o 6 4 ] fa v? j*&mftmttm i o 5 b. ffiffi 

TIT Z&i§7L*fjkL tc±X ©^SlJjffg^lBffli O/cf 1 - £ 

[0 0 6 53 aWWt«il/T v SSL^ohaA-Cffl^ 
:/P^A2£fg$fe|3j^©l 0 5B. Bg-^©«^(C^ 

[0066]ffilP104tt. 7'P^Al 0 2£B?!K 
[0 067] CjT,ttHlCC*itf£. 7'ZHf7&MffiMtf 

¥Sl i o 4 tc j: -i-cn t>nsMat?* s„ 

[0068] *^BjoDffiA^^O ^7 AJBf&EfT^gt 1 
0 4 B. 7'P A^^SItf T 5 C tJPnJtB&iWBtoi 

tc 7'P y =7 A©HtT «PR*fT 9 . 
[0069] SiiSP 1 06(2, 7"P 5^7 A 1 0 2 #57"P 
tf^MMWm^Wt. l 0 4Ccj:-,-rPf?Htf 3nscD* 

[0 07 0] CtlBil(Cfct«. 7W7J>.M%mft 

[0071] Ammzft m±$-m i o 6 omm. 

tc«. mB«T©J: 5 &&©**#* 

[0072] yuif?Amwm^m±^m i o 6 basis 

tc. S9CC7n$ti-5T— ~f)\>*iB$tth* 
[007 3] C©5 u -7';KDi> H UB. #$>P-F 

^"£"<ifB. permi tedtKUf orb i den 

©IflWtttStBp e r m i t t e d-C^SiTS,, 
[0074] Ajg^ff^S 1 0 4B. JRft£ 

J:^<t-re7-p^A©siSiJ^5:^-r-5. K^T-ST' 
py-7A<DI£j§iH L ©x> f- •;©. ^n?7AOW8^ 
•tffi*5f o r b i d d entibi*, Sc5Wii> h U 

[0075] c©*§£. i o 6B. m^-r^yu 

^7A©^'I : f©i> h V©, 7'P^7A©tfcH?r7ST 
ffl?:forbi ddentC^ItSCiWot^? 

[0076] C CTB^P y7A)PKltfl±^g 1 0 
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[007 7] MffiP 104. *S(,>B#!«P 1 0 6#** 
It Z> b . 01 -CfT fcfrSMffl^ffe&^T-r -5. 
[007 8] 02B. W^5l5ig©^*py-5AHtfS? 

[007 9] 02^6. ^P:?7 A^RS^frF^fiSS^ 

© i o 7 *m>tdmw*K i«ys2fei&©7"p ?7ah 

fT*E«©1»JiS*fiW- «> ©tc & s . 
[0 08 0] 02©^g©^S©7P-^-»'-h5rS6 
10 tC7js-3" 0 

[0 08 1 ]I6(Cfcl»T, P207©M1^ r<5J4> O 

(cg^Mfc^o*, i»^2fBig©K§©^a 

[0 08 2] ctt6tcou-aistct&Bjii,-c<,><. 
[008 3] ^speM8§ i o i #><E>^frr&. -fay? 

Al 0 2*sJ:tfi®5iJ1itf8l 0 3B. 5fctCi&lpil/fck©<i 

[0084] m6icis^-cmtn<Dmm-c$>^P2 o 5 

B, 02{cfcW^^P^7A^m$fe*'J^I51 0 5(CJ: 

20 -»-cfT*>*is«»'c*9. 5ttcmHjL/fcp 1 0 5 tmo 
turner 5» 

[008 5] teSP 2 0 7 B. 7*P V? A©»f ^fpoJ 

r -5 »f tcfsjt, ^fo-a- 

[008 6] CftB^tCfcWS. 7*P^7Aftgfg|?f 
lf"5JSgi§^l8 1 0 7 tC «fc oTtffenSA!lffl-C&-S 0 
[0 0 8 7 ] WLBCftB. SSgasffi^-S-TW^W 

tc, 01 ooi^^a^^f^ci-cn^-c^s., 

[008 8] MSP 2 0 9 B. ^"P 5^ A©Hfr*flPiiJ 

30 tS#R 1 0 8 £f#-5>„ 

[0 08 9] C*x«02tC*$W.S, yp^^ASgf?*^ 

i*niA*#©i 0 9tc«tr?rtft>n-5^a-c*s„ 

[009 0 ] m&<D3.— tfB. MSP 2 0 9 
WK. <6I6^©^S^^gtC>FtOTtf ^» 7*P^7 

Anwaaftt?iA**a»v *©aus«w**w. sis 

rtSP©^- ^ t u-r . 7*p ^ AJKS^f Hp njtf $8 1 0 

8££/£T*,, 

[009 1 ] a— !f{C«fcS«B*W«v St*5fi5A 

40 h -7 ^ y 3 -f^f^^, ^tc<fc ^ A^JglfP 

©ffi^b-tftcfcor, *€>C^BCti6©j*^:S:f51feU 
J&CiCitCioT^tSn^. 
[009 2] 09^.B • a-tfli. " IStfe" 
tc&, - 0" il>0?f^*. ^gtc*fL 

Tff5. cntCiotggB. ^T©^P^7A©^f 

W-jT" maze, c j " t^^SC^i^H 

-<±-c3i!Ru/cfttc. M 1 " #£>&itrr. cntcj;-, 

tig«. "maze, c j " it^l^iJS^o^p 
50 ^7A©»fA^±$nfc<b(,^tffB*f#^ 0 -a— tf 
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(*. H2MP2 0 9**m3ft£if(TK:. ^a?7A©WT® 
f^/»±£fg^-r*!|$5£©A;fr£. M6 £Sgtc*fbr 
#*ft*>ofc<!:-r.5„ CtlKio-Cilgti. " maz 
e. c j " <bl^aSiJ«?:}#-57-n^7ACD|^f*^± 

[0 09 3] a— !f <DMS.mmt. $HMP 2 07 iJiM 

i/-cnjg$nr*>^». 09* tf. • s i o©^3&5ff^c 

(C^UTtf^. cnKiot^Stt, "maze, c 

r ±^5mi!%zt$r>7u>?7&<Dmm i fr'zj2titc 10 

[0 094] C C"C«" 0 " , " 1 " , " Wilfe" 5 
* * > i # +;l4Mfc©«*^*>tf K: <£ S 0 

©tWC^T U Af}mS(Dm^t>^i>m<D 

[0 09 5] &SP 2 06 Att. 7'a ^5 A^Ufflt 

[0 0 9 6] Cn«0 2iC*5l,>r. ^a^7A^!|?||ff 20 

^±*© i o 6 K«fc ^rtf^n-s^ffi-c^-s., 

[0 0 9 7] jMP2 0 4lt zfn?5& 1 0 2£8?f? 
[0 09 8] CtlBI2Ktet«, ^d^A^f^f 
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(54) [Title of the Invention] APPARATUS FOR INTERPRETING PROGRAM 
(57) [Abstract] 

[Object] To realize the assurance of security, confidentiality, and integrity of downloaded 
programs simply and at low cost in household electrical appliances having the function of 
connecting to networks to receive distributed programs. 

[Solving Means] An apparatus for executing a program includes interpreting means 104, 
secondary interpreting means 110, source determining means 105, input means 109, and program 
interpretation forbiddance selecting means 112. If the source determining means 105 determines 
that identifying information of a program 102 indicates a trusted source, the program interpretation 
forbiddance selecting means 112 permits the interpreting means 104 to interpret the program 102, 
and if not, the program interpretation forbiddance selecting means 112 forbids the interpreting 
means 104 from interpreting the program 102. 
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[Claims] 

[Claim 1] An apparatus for executing a program, the apparatus receiving a program transmitted 
through an external communication channel and identifying information transmitted through the 
external communication channel, the apparatus comprising: 
interpreting means for interpreting the program; 

source determining means for determining whether the identifying information indicates that 
the program is transmitted from a trusted source; and 
program-interpretation forbidding means, 

wherein the program-interpretation forbidding means forbids the interpreting means from 
interpreting the program in accordance with the determination performed by the source determining 
means. 

[Claim 2] An apparatus for executing a program, the apparatus receiving a program transmitted 
through an external communication channel and identifying information transmitted through the 
external communication channel, the apparatus comprising: 
interpreting means for interpreting the program; 

source determining means for determining whether the identifying information indicates that 
the program is transmitted from a trusted source; 

program-interpretation forbidding means; and 

input means by which a user inputs permission information indicating either that the 
program is permitted to be interpreted or that the program is forbidden from being interpreted, 

wherein the program4nterpretation forbidding means forbids the interpreting means from 
interpreting the program in accordance with the permission information. 

[Claim 3] An apparatus for executing a program, the apparatus receiving a program transmitted 
through an external communication channel and identifying information transmitted through the 
external communication channel, the apparatus comprising: 
interpreting means for interpreting the program; 

secondary interpreting means being second means for interpreting a program; 
source determining means for determining whether the identifying information indicates that 
the program is transmitted from a trusted source; and 
program-interpretation selecting means, 

wherein the program-interpretation selecting means selects permitting or forbidding the 
program from being executed by the interpreting means in accordance with the determination 
performed by the source determining means, and in the case that the program is forbidden from 
being interpreted by the interpreting means, the program is executed by the secondary interpreting 
means. 

[Claim 4] An apparatus for executing a program, the apparatus receiving a program transmitted 
through an external communication channel and identifying information transmitted through the 
external communication channel, the apparatus comprising: 
interpreting means for interpreting the program; 

secondary interpreting means being second means for interpreting a program; 
source determining means for determining whether the identifying information indicates that 
the program is transmitted from a trusted source; and 

input means by which a user inputs permission information indicating either that the 
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program is permitted to be interpreted or that the program is forbidden from being interpreted; and 
program-interpretation forbiddance selecting means, 

wherein, in the case that the determination performed by the source determining means is 
that the program is transmitted from a trusted source, the program-interpretation forbiddance 
selecting means permits the interpreting means to interpret the program, and, in the case that the 
determination performed by the source determining means is that the program is not transmitted 
from a trusted source, the program-interpretation forbiddance selecting means forbids the 
interpreting means from interpreting the program, 

wherein, in the case that the determination performed by the source determining means is 
that the program is not transmitted from a trusted source, the program-interpretation forbiddance 
selecting means selects permitting or forbidding the secondary interpreting means from executing 
the program in accordance with the permission information. 

[Claim 5] The apparatus according to claim 2 and claim 4, further comprising inquiring means for 
inquiring of a user whether the program is permitted to be interpreted in the case that the 
determination performed by the source determining means is that the program is not transmitted 
from a trusted source. 

[Claim 6] The apparatus according to claims 1, 2, 3, 4, and 5, wherein the identifying information 
includes an IP address, and the source determining means performs the determination using the IP 
address. 

[Claim 7] The apparatus according to claims 1, 2, 3, 4, and 5, wherein the identifying information 
includes a uniform resource locator (URL), and the source determining means 105 performs the 
determination using the URL. 

[Claim 8] The apparatus according to claims 1, 2, 3, 4, and 5, wherein the identifying information 
includes an encrypted signature, and the source determining means performs the determination 
using the encrypted signature. 
[Detailed Description of the Invention] 
[0001] 

[Technical Field of the Invention] The present invention relates to an apparatus and method for 
verifying a downloaded program in an environment for downloading a program over network 
communications and for interpreting the program for use in particular applications, such as 
household electrical appliances. 
[0002] 

[Description of the Related Art] In recent years, the need for the ability to connect to networks to 

deploy programs distributed therethrough in household electrical appliances has grown. 

[0003] The distribution of programs over networks facilitates updating and adding new functions to 

household electrical appliances and leads to new services, and therefore, it offers many advantages. 

[0004] In the field of computing, such program distribution has been widely used. 

[0005] A typical example is a network between a web server on the Internet and a personal 

computer (PC) including a browser. Anyone who uses this network can freely download content 

from sites on the network and use them. Networks of this type are referred to as "open networks" 

herein. 

[0006] In open networks, users can freely download programs existing in the networks and execute 
them. 
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[0007] However, in open networks, verification of the following items relies on network users: 1. 
The source of connection is the one intended by a user (authentication and permission); 2. The 
content is never altered or intercepted in transmission paths (integrity and confidentiality); and 3. 
The content will never pose a threat to the environments in which it is used (security). 
[0008] In other words, the items 1 to 3 described above are not entirely assured in open networks. 
Therefore, users may unknowingly download and execute dangerous programs created by a 
malicious third party. 

[0009] In contrast to open networks, there are networks that assure the items 1 to 3 described above 
by requiring encryption of the content and/or user authentication in downloading the distributed 
content. Networks of this type are referred to as "closed networks" herein. 

[0010] In general, household electrical appliances require high reliability and security. Therefore, 
in the distribution of programs used for household electrical appliances, it is desired that only a 
secure program sent from a trusted source be downloaded. 

[0011] In addition, in the distribution of programs used for household electrical appliances, billing 
and data protection must be performed accurately and securely in many cases. Open networks are 
insufficient for fulfilling these requirements. Therefore, it is preferable that the distribution of 
content for household electrical appliances use closed networks. 

[0012] Actually, current networks for use in household electrical appliances are "closed networks", 
which assure the items 1 to 3 by some means, in most cases. 

[0013] For example, in various current services employing telephone networks, billing for network 
utilization through calls needs to be performed accurately. As a result, such services are 
implemented by closed networks. Closed networks may be further secured and become less 
vulnerable by subjecting the content to other processing, such as encryption. 
[0014] 

[Problems to be Solved by the Invention] However, even in the field of household electrical 
appliances, some devices are already well on their way to connecting to open network environments, 
typified by services of cellular telephones capable of connecting to the Internet. It is conceivable 
that household electrical appliances will have increased compatibility with open networks, typified 
by the Internet, in the future. 

[0015] Under these circumstances, as described above, it is difficult to ensure that household 
electrical appliances download and execute a secure program only from a trusted source using 
closed networks. 

[0016] One solution is that execution environments for interpreting programs have a mechanism 

for verifying that programs are not dangerous. 

[0017] A typical architecture implementing this solution is Java. 

[0018] The Java programming language has many advantages as a development language. 
Examples of such advantages include high efficiency in development as an object-oriented language, 
language specifications producing less bugs, portability, and abundant development environments. 
[0019] In addition, the Java architecture has a mechanism in which Java virtual machines serving 
as interpreter mechanisms interpret programs. Thus, the Java architecture is capable of developing 
programs that are independent of hardware and operating systems in devices. Therefore, the Java 
architecture is considered to be promising for realizing the distribution of programs in the field of 
household electrical appliances. 
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[0020] It is also known that Java holds high security in distributing programs (content). 
Specifically, Java contains the verification mechanism described below. 

[0021] (Laura Lemay, Charles L. Perkins, "Teach Yourself Java in 21 days" Prentice Hall, 1996) 1. 
The Java language itself has language specifications having high security, and therefore, creating 
malicious altered code by using the Java language is difficult. For example, programmers are 
unable to directly manipulate reference values in memory. 2. Java virtual machines include a 
mechanism for verifying that execute forms (Java class files) are written under correct rules. This 
prevents the Java virtual machines from interpreting programs with altered execute forms. 3. 
Program loaders in the Java virtual machines manage storage areas in groups. Class files (execute 
forms) in a "less protected" storage area are unable to invade those in a "highly protected" storage 
area and unable to refer to them without permission. For example, class files stored in a local area 
are not replaced with those deployed over the Internet without permission. 4. Functions provided 
by the Java API are designed to prevent programs from performing destructive operations. 
[0022] As described above, Java includes less-vulnerable verification mechanisms in each level 
ranging from the development language to the program execution system. To perform these 
functions, however, the Java machines require large memory usage and a high performance 
processor. 

[0023] For example, in order to realize item 2 above, the Java virtual machines must perform flow 
analysis on instruction codes in execute forms (A. Aho, R. Sethi, J. Ullman, "Compiler Principles, 
Techiniques, and Tools", Addison-Wseley, 1986). This leads to an increase in the size of code 
implemented and the amount of memory usage in the Java virtual machines. (According to a trial 
calculation, the increase is 1 .5 times to 3 times the total amount of memory usage in the Java virtual 
machines not including the verification mechanism described in item 2. 

[0024] In addition, the verification processing often occurs during program execution. This 
increases the processing load in the Java virtual machine and thus prevents programs from running 
at high speed. 

[0025] Li the field of household electrical appliances, a lower price is extremely desirable. Many 
appliances require high resource saving, low cost, and low power consumption, more so than 
computing devices. 

[0026] For example, a typical approach to installing Java on household electrical appliances is an 
embedded Java architecture, invented by Sun Microsystems, for use in household electrical 
appliances. This needs at least 512K bytes of RAM, 512K bytes of ROM, and a 25HMHz CPU to 
run programs (Deepak Mulchandani, "Java for Embedded Systems", IEEE INTERNET 
COMPUTING, May-June, 1998). These specifications are applicable to some high-end appliances. 
However, the necessary amount of memory is still large in general household electrical appliances. 
[0027] In particular, most cellular phones and white goods have an 8/16-bit microprocessor having 
a low operating frequency and memory of the order of several tens of kilobytes. It is impossible to 
apply Embedded Java to such devices. 

[0028] As described above, the approach, typified by that in Java, to embedding the verification 
mechanism in execution environments to ensure the security of programs distributed on networks is 
extremely difficult in general household electrical appliances. 

[0029] An object of the present invention is to provide means for realizing the assurance of security, 
confidentiality, and integrity of downloaded programs simply and at lower cost. 
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[0030] 

[Means for Solving the Problems] According to the present invention, an apparatus receives, 
through an external communication channel, a program and identifying information indicating a 
source sending the program. In accordance with the received identifying information, the apparatus 
determines whether the program is secure or not so as to be possibly dangerous to the execution 
environment and user. 

[0031] The apparatus permits interpreting a program that is determined to be secure. The means 
for interpreting not requiring particular processing by a verification mechanism with respect to the 
program is assumed. 

[0032] Therefore, the apparatus can execute the program at high speed while suppressing the 
amount of memory used. 

[0033] The present invention provides the following processing with respect to a program whose 
security is not assured. 

[0034] (1) No insecure program is interpreted. 

[0035] In this case, the apparatus for executing a program runs no insecure program, so that a 
verification mechanism is not required. Therefore, the apparatus can run every secure program at 
high speed while suppressing the amount of resources required for interpreting the program. 
[0036] (2) The execution of a program is determined in accordance with information provided by a 
user, the information indicating permission or forbiddance of interpreting the program. 
[0037] In this case, the apparatus leaves the user to select whether to execute an insecure program. 
[0038] Essentially, in household electrical appliances, a program is recommended to be 
downloaded only from a trusted source (probably, authorized by the manufacturer that produced the 
household electrical appliance to which the apparatus is applied) and executed. In view of these 
circumstances, downloading a program (content) over an open network is an exceptional case. 
[0039] In other words, in this case, the user needs to acquire a beneficial program (content) for 
some reason using the appliance. 

[0040] In order to acquire a program (content) over an open network, knowledge about the security 
of the program (content) to be downloaded is assumed and the user must download it at his or her 
own risk. 

[0041] In the processing (2), the selection of the user is reflected in the processing of the apparatus. 
[0042] The program is interpreted by the user at his or her own risk, and therefore, no verification 
processing is a precondition. Therefore, the apparatus can run the program at high speed while 
suppressing the amount of resources required for interpreting the program. 

[0043] (3) The apparatus informs the user of the possibility that a downloaded program may be 
dangerous, and then performs the processing (2). 

[0044] This processing is similar to the processing (2), but, in this processing (3), the apparatus can 
provide a notification to the user for prompting the selection before executing the program. 
[0045] The user employs information from the notification, so that the user performs the selection 
more accurately to provide information indicating permission or forbiddance of executing the 
program. 

[0046] (4) The apparatus includes second interpreting means separated from the existing 
interpreting means. An insecure program is executed by the second means. 

[0047] This processing has separate means, one for interpreting a secure program and the other for 
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an insecure program. 

[0048] In this case, preferably, the second means for interpreting an insecure program interprets the 
insecure program while performing verifying processing or the second means exists independently 
so as to have no adverse effect on other means in the apparatus. 

[0049] Therefore, the apparatus can run dangerous programs while assuring running of secure 
programs at high speed. (5) The processing is made up of the processing (2) and (4). (6) The 
processing is made up of the processing (3) and (4). The present invention provides these means in 
an apparatus for executing a program. 
[0050] 

[Embodiments] The present invention is applicable to general program-execution environments 
connected to external communication channels. In particular, the present invention is intended to be 
applied to household electrical appliances requiring higher resource saving and lower cost. 
[0051] Embodiments in which the present invention is applied to a mobile terminal including a 
display and being capable of being connected to the Internet are explained. 
[0052] The embodiments are described with reference to the drawings. 

[0053] Fig. 1 shows the structure of an apparatus for executing a program according to claim 1 . 
[0054] Fig. 5 shows a flowchart of processing in the apparatus shown in Fig. 1. 
[0055] The structure and processing are described step by step. 

[0056] A program 102 and identifying information 103 are received through an external 
communication channel 101 by downloading them through, for example, networks, such as the 
Internet. 

[0057] The program can be acquired as data having a form interpretable by an execution system 
included in the apparatus. For example, if the apparatus includes a Java virtual machine, the 
apparatus is able to execute Java class files, which are an executable form of Java, and thus, a Java 
class file is downloaded through the external communication channel. 

[0058] The identifying information is used to identify a program by, for example, locating a source 
from where a program is sent when the program is downloaded. For the sake of simplicity, the 
name of the program is used as the identifying information in this embodiment. The identifying 
information may be other information. 

[0059] Examples of such identifying information include BP addresses, one being a unique address 
assigned to each device on the Internet, and uniform resource locators (URLs), one being a 
worldwide unique address for identifying information in the hypertext transfer protocol (HTTP), 
file transfer protocol (FTP), Gopher, News, and Telnet. 

[0060] According to the secure sockets layer (SSL) developed by Netscape Communications 
Corporation in the United States, cross-verification is completed through negotiations regarding 
algorithms for authentication, encryption, and digital signatures before data is exchanged. An 
encrypted signature, typified by the one used in the SSL, may be used as the identifying information. 
Of course, it will be understood that the identifying information may be another type of information 
other than the information described above. 

[0061] In the first process P105 in Fig. 5, the identifying information 103 is read and it is 
determined whether the identifying information 103 indicates a trusted source for transmitting a 
program. 

[0062] This process is performed by source determining means 105 shown in Fig. 1 for 
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determining whether a source sending a program is trusted. 

[0063] In order to realize process P105, it is necessary to read the identifying information in some 
way and determine whether the source is trusted. This is achieved in the following way, for 
example. 

[0064] The source determining means 105 retains data in which all identifying information 
indicating trusted sources is recorded. The determination is performed by checking identifying 
information for a downloaded program with this data and, if the identifying information is present 
in the data, determining that the identifying information indicates a trusted source, if not, 
determining that identifying information does not indicate a trusted source. 

[0065] In the case that an encrypted digital signature, such as the one used in the SSL, is used as 
identifying information, the source determining means 105 can determine whether the identifying 
information indicates a trusted source by success or failure in decryption of the encrypted signature. 
The determination may be performed by other means. 
[0066] In process P104, the program 102 is interpreted. 

[0067] This process is performed by program interpreting means 104 shown in Fig. 1. 
[0068] The interpreting means 104 included in the present invention has a mechanism similar to 
known execution systems included in environments capable of interpreting a program, and 
interprets a program in a manner similar to the known systems. 

[0069] In process P106, the program 102 is forbidden from being interpreted by the interpreting 
means 104. 

[0070] This process is performed by program interpretation forbidding means 106 shown in Fig. 1. 
[0071] The program interpretation forbidding means 106 is realized by, for example, the following. 
[0072] The program interpretation forbidding means 106 retains the table illustrated in Fig. 9 
therein. 

[0073] An entry in this table is made up of identification data of a downloaded program and a 
corresponding value indicating the status of the program. The value indicating the status of the 
program can take only two possible values: "permitted" or "forbidden". The initial value when the 
entry is recorded for the first time is set to "permitted". 

[0074] The interpreting means 104 refers to the table shown in Fig. 9 to search for identification 
data for a program to be interpreted before starting interpreting the program. If the value indicating 
the program status associated with the identification data is "forbidden" or an entry of the 
identification data is not present in the table, the program is not interpreted. 

[0075] In this case, process PI 06 is realized by changing the value indicating the status to 
"forbidden". 

[0076] In this embodiment, the program interpretation forbidding means 106 uses the table, but it 
may use another structure, such as a tree, a list, or a hash. 

[0077] When process P104 or P106 is finished, the entire processing shown in Fig. 1 is then 
completed. 

[0078] Fig. 2 shows the structure of an apparatus for executing a program according to claim 5. 
[0079] The block diagram, in which inquiring means 107 for inquiring of a user whether the 
program is permitted to be interpreted is removed from the structure shown in Fig. 2, shows an 
apparatus for executing a program according to claim 2. 

[0080] Fig. 6 shows a flowchart of processing in the apparatus shown in Fig. 2. 
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[0081] The flowchart, in which process P207 is replaced with "performing nothing" in Fig. 6, 
shows processing in the apparatus according to claim 2. 
[0082] The structure and processing are described step by step. 

[0083] The program 102 and the identifying information 103 received through the external 
communication channel 101 are the same as those described above. 

[0084] The first process P205 in Fig. 6 is performed by the source determining means 105 shown 
in Fig. 2 and is the same as process PI 05 described above. 

[0085] In process P207, an inquiry as to whether to permit executing the program is made to a user. 
[0086] This process is performed by the inquiring means 107 shown in Fig. 2. 
[0087] This process is realized by, for example, displaying information shown in Fig. 10 on a 
display screen included in the apparatus. 

[0088] In process P209, permission information 108 indicating whether executing a program is 
permitted or not is acquired. 

[0089] This process is performed by input means 109 by which a user inputs permission 
information, shown in Fig. 2. 

[0090] Before process P209, the user of the apparatus provides to the apparatus a response 
indicating the user's selection. Upon receipt of the response, the input means 109 creates the 
permission information 108 in the form of data within the apparatus. 

[0091] The user provides the response by operating input devices, including a key, switch, dial, 
mouse, trackball, and joystick, in combination or by doing nothing. 

[0092] For example, the user pushes a "function" key and then pushes a "0" key on the apparatus, 
so that the apparatus acquires information indicating permission to execute all programs. For 
example, the user selects the character string "maze.cj" by operating the dial on the screen and then 
pushes a "1" key, so that the apparatus acquires information indicating that a program with 
identification data "maze.cj" is forbidden from being executed. For example, if the user does not 
give any specific input regarding permission or forbiddance of the execution of the program before 
process P209, the apparatus acquires information indicating that the program with the identification 
data "maze.cj" is forbidden from being executed. 

[0093] The response indicating the user's selection may be performed in conjunction with process 
P207. For example, when the screen displays information shown in Fig. 10, the user then pushes 
the "0" key on the apparatus, so that the apparatus acquires information indicating permission to 
execute the program with the identification data "maze.cj". 

[0094] In this embodiment, operations of the keys "0", "1", and "function" and the dial, in 
combination, are described. The selection of keys and the sequence of operating keys described 
above may be changed. The combination of the input devices described above may also be changed. 
[0095] In process P206A, the permission information 108 is read and the determination as to 
whether the user permits the execution of the program 102 or not is performed. 
[0096] This processing is performed by the program interpretation forbidding means 106 shown in 
Fig. 2. 

[0097] In process P204, the program 102 is interpreted. 

[0098] This processing is performed by the interpreting means 104 shown in Fig. 2 and is the same 
as process PI 04 described above. 

[0099] In process P206B, the program 102 is forbidden from being interpreted. 
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[0100] This processing is performed by the program interpretation forbidding means 106 shown in 
Fig. 2 and is the same as process P106 described above. 

[0101] When process P204 or P206B is finished, the entire processing shown in Fig. 2 is then 
completed. 

[0102] Fig. 3 shows the structure of an apparatus for executing a program according to claim 3. 
[0103] Fig. 7 shows a flowchart of processing in the apparatus shown in Fig. 3. 
[0104] The structure and processing are described step by step. 

[0105] The program 102 and the identifying information 103 received through the external 
communication channel 101 are the same as those described above. 

[0106] The first process P305 in Fig. 7 is performed by the source determining means 105 shown 
in Fig. 3 and is the same as process P105 above. 

[0107] In process P304, the program 102 is executed by the interpreting means 104. 

[0108] This process is performed by program interpretation selecting means 111 and the 

interpreting means 104 shown in Fig. 3. 

[0109] In process P310, the program 102 is executed by secondary program4nterpreting means 110. 
[0110] This process is performed by the program interpretation selecting means 111 and the 
secondary interpreting means 110 shown in Fig. 3. 

[0111] The secondary interpreting means 110 has a mechanism similar to known execution systems 
included in environments capable of interpreting a program and interprets a program in a manner 
similar to the known systems. The secondary interpreting means 110 is implemented inside the 
apparatus as a separate component from the interpreting means 104. 

[0112] The program interpretation selecting means 111 is realized by, for example, the following. 
[0113] The program interpretation selecting means 111 retains the table illustrated in Fig. 11 
therein. 

[0114] An entry in this table is made up of identification data of a downloaded program and a 
corresponding value indicating the status of the program. 

[0115] The value indicating the status of the program can take only two possible values: "secure" 
or "insecure". 

[0116] Before the execution of a program, in accordance with the determination by the source 
determining means 105, the program interpretation selecting means 111 sets the value; if the result 
indicates that the program is sent from a trusted source, the source determining means 105 records 
"secure" as the value, and if not, "insecure". 

[0117] Before starting interpreting a program, the interpreting means 104 refers to the table shown 
in Fig. 11 to search for identification data for the program. Interpretation of the program is started 
only when the value indicating the program status associated with the identification data is "secure". 
[0118] If the value indicating the program status is "insecure" or an entry of the identification data 
is not present in the table, the program is executed by the secondary interpreting means 110. 
[0119] In this embodiment, the program interpretation selecting means 111 uses the table, but it 
may use another structure, such as a tree, a list, or a hash. 

[0120] When process P304 or P310 is finished, the entire processing shown in Fig. 3 is then 
completed. 

[0121] Fig. 4 shows the structure of an apparatus for executing a program according to claim 5. 
[0122] The block diagram, in which the inquiring means 107 is removed from the structure shown 
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in Fig. 4, shows an apparatus for executing a program according to claim 4. 

[0123] Fig. 8 shows a flowchart of processing in the apparatus shown in Fig. 4. 

[0124] The flowchart, in which process P407 is replaced with "performing nothing" in Fig. 8, 

shows processing in the apparatus according to claim 4. 

[0125] The structure and processing are described step by step. 

[0126] The program 102 and the identifying information 103 received through the external 
communication channel 101 are the same as those described above. 

[0127] The first process P405 in Fig. 8 is performed by the source determining means 105 shown 
in Fig. 4 and is the same as process P105 described above. 

[0128] In process P407, an inquiry as to whether to permit executing a program is made to a user. 
[0129] This process is performed by the inquiring means 107 shown in Fig. 4 and is the same as 
process P207 described above. 

[0130] In process P409, the permission information 108 indicating whether executing a program is 
permitted or not is acquired. 

[0131] This process is performed by the input means 109 shown in Fig. 4 and is the same as 
process P209 described above. 

[0132] In process P406A, the permission information 108 is read and a determination as to whether 
the user permits the execution of the program 102 or not is performed. 

[0133] This processing is performed by the program interpretation forbidding means 106 shown in 
Fig. 4. 

[0134] In process P404, the program 102 is interpreted by the interpreting means 104. 

[0135] This process is performed by the interpreting means 104 and program interpretation 

forbiddance selecting means 112 shown in Fig. 4. 

[0136] In process P410, the program 102 is executed by the secondary interpreting means 110. 

[0137] This process is performed by the program interpretation forbiddance selecting means 112 

and the secondary interpreting means 110 shown in Fig. 4. 

[0138] In process P406B, the program 102 is forbidden from being interpreted. 

[0139] This process is performed by the program interpretation forbiddance selecting means 112 

shown in Fig. 4. 

[0140] The program interpretation forbiddance selecting means 112 is realized by, for example, the 
following. 

[0141] The program interpretation forbiddance selecting means 112 retains the table illustrated in 
Fig. 12 therein. An entry in this table is made up of identification data of a downloaded program 
and a corresponding value indicating the status of the program. 

[0142] The value indicating the status of the program can take only three possible values: "secure", 
"permitted", or "forbidden". The initial value when the entry is recorded for the first time is set to 
"secure". 

[0143] In process P406A, the program interpretation selecting means 111 reads the permission 
information 108. If the permission information 108 indicates that the user permits the execution of 
the program, the program interpretation selecting means 111 records "permitted" as the value 
indicating the status of the program; if not, it records "forbidden". 

[0144] Before starting interpreting the program 102, the interpreting means 104 refers to the table 
shown in Fig. 11 to search for identification data for the program. Interpretation of the program is 
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started only when the value indicating the program status is "secure". 

[0145] If the value indicating the program status is "permitted", the program 102 is executed by the 
secondary interpreting means 110. 

[0146] If the value indicating the program status is "forbidden" or an entry of the identification data 
is not present in the table, the program 102 is not interpreted. 

[0147] In this embodiment, the program interpretation forbiddance selecting means 112 uses the 
table, but it may use another structure, such as a tree, a list, or a hash. 

[0148] When process P404, P410, or P406B is finished, the entire processing shown in Fig. 4 is 
then completed. 

[0149] The embodiments of the present invention are described above. 
[0150] 

[Advantages] As described above, according to the present invention, a program and identifying 
information indicating a source sending the program are received through an external 
communication channel, and it is determined whether the identifying information indicates a trusted 
source. 

[0151] When the result is that it has not been determined that the program is sent from a trusted 
source, an execution environment informs a user (using the execution environment) of the result, 
receives information provided by the user, and determines whether to execute the program in 
accordance with the information. Alternatively, the execution environment interprets the program 
by second interpreting means, which is different from the existing interpreting means. 
[0152] This arrangement allows an apparatus for executing a program to execute a program having 
assured security with less resources and at high speed. In addition, the security, confidentiality, and 
integrity of a downloaded program are assured while maintaining resource savings and low cost. 
[Brief Description of the Drawings] 
[Fig. 1] 

Fig. 1 shows an example of an apparatus for executing a program according to the present 
invention. 
[Fig. 2] 

Fig. 2 shows another example of the apparatus for executing a program according to the 
present invention. 
[Fig. 3] 

Fig. 3 shows still another example of the apparatus for executing a program according to the 
present invention. 
[Fig. 4] 

Fig. 4 shows still another example of the apparatus for executing a program according to the 
present invention. 
[Fig. 5] 

Fig. 5 is a flowchart showing an example of the operation of the apparatus for executing a 
program according to the present invention. 
[Fig. 6] 

Fig. 6 is a flowchart showing another example of the operation of the apparatus for 
executing a program according to the present invention. 
[Fig. 7] 
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Fig. 7 is a flowchart showing still another example of the operation of the apparatus for 
executing a program according to the present invention. 
[Fig. 8] 

Fig. 8 is a flowchart showing still another example of the operation of the apparatus for 
executing a program according to the present invention. 
[Fig. 9] 

Fig. 9 shows an example of program interpretation forbidding means. 
[Fig. 10] 

Fig. 10 shows a screen displayed by inquiring means. 
[Fig. 11] 

Fig. 11 shows an example of program interpretation selecting means. 
[Fig. 12] 

Fig. 12 shows an example of program interpretation forbiddance selecting means. 
[Reference Numerals] 

101: external communication channel 
102: program 

103: identifying information 

104: interpreting means 

105: source determining means 

106: program interpretation forbidding means 
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Fig. 2 
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Fig. 3 

101: COMMUNICATION CHANNEL 
101: COMMUNICATION CHANNEL 
102: PROGRAM 

103: IDENTIFYING INFORMATION 

104: INTERPRETING MEANS 

105: SOURCE DETERMINING MEANS 

110: SECOND ARY INTERPRETING MEANS 

111: PROGRAM INTERPRETATION SELECTING MEANS 
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Fig. 4 
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101: COMMUNICATION CHANNEL 
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103: IDENTIFYING INFORMATION 

104: INTERPRETING MEANS 

105: SOURCE DETERMINING MEANS 

107: INQUIRING MEANS 

108: PERMISSION INFORMATION 

109: INPUT MEANS 

110: SECONDARY INTERPRETING MEANS 
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D: APPARATUS (TV) FOR EXECUTING PROGRAM 

Fig. 5 

START 

P105: DOES IDENTIFYING INFORMATION INDICATE TRUSTED SOURCE? 

P104: INTERPRET PROGRAM 

P106: FORBID EXECUTION OF PROGRAM 

END 

E: PROCEDURE (I) FOR PROGRAM-EXECUTION PROCESSING 

Fig. 6 

START 

P205: DOES IDENTIFYING INFORMATION INDICATE TRUSTED SOURCE? 
P204: INTERPRET PROGRAM 

P207: INQUIRE OF USER WHETHER TO PERMIT EXECUTION OF 
PROGRAM 

P209: ACQUIRE PERMISSION INFORMATION 

P206A: DOES USER PERMIT EXECUTION OF PROGRAM? 

P206B: FORBID EXECUTION OF PROGRAM 

END 

F: PROCEDURE (II) FOR PROGRAM-EXECUTION PROCESSING 

Fig. 7 

START 

P305: DOES IDENTIFYING INFORMATION INDICATE TRUSTED SOURCE? 

P304: INTERPRET PROGRAM BY INTERPRETING MEANS 104 

P310: INTERPRET PROGRAM BY SECONDARY INTERPRETING MEANS 

110 

END 

G: PROCEDURE (HI) FOR PROGRAM^XECUTION PROCESSING 
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Fig. 8 

START 

P405: DOES IDENTIFYING INFORMATION INDICATE TRUSTED SOURCE? 
P404: INTERPRET PROGRAM BY INTERPRETING MEANS 104 
P407: INQUIRE OF USER WHETHER TO PERMIT EXECUTION OF 
PROGRAM 

P409: ACQUIRE PERMISSION INFORMATION 

P406A: DOES USER PERMIT EXECUTION OF PROGRAM? 

P406B: FORBID EXECUTION OF PROGRAM 

P410: INTERPRET PROGRAM BY SECONDARY INTERPRETING MEANS 

110 

END 

H: PROCEDURE (IV) FOR PROGRAM^XECUTION PROCESSING 

Fig. 9 

II : IDENTIFICATION DATA FOR PROGRAM 
12: STATUS OF PROGRAM 

I: EMBODIMENT OF PROGRAM INTERPRETATION FORBIDDING MEANS 

Fig. 10 

Jl: Do you permit the execution of the program "maze.cj"? 

0-Yes 

1 -No 

J: EMBODIMENT OF INQUIRING MEANS 

Fig. 11 

Kl: IDENTIFICATION DATA FOR PROGRAM 
K2: STATUS OF PROGRAM 
secured: secure 
unsecured: insecure 

K: EMBODIMENT OF PROGRAM INTERPRETATION SELECTING MEANS 

Fig. 12 

LI : IDENTIFICATION DATA FOR PROGRAM 
L2: STATUS OF PROGRAM 
secured: secure 

L: EMBODIMENT OF INTERPRETATION FORBIDDANCE SELECTING 
MEANS 
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